Could anyone please let me know if there are any major security risk for the scenario below?
Scenario: I’ve a WCF web services hosted in azure. Instead of buying a
third party X.509 Certificate, I would like to generate our own
self-signed certificate and provide my ROOT CA to the third party
clients. They then import the ROOT CA to their certificate store. This
would then enable a https with self signed certificate.
I’m quiet new to X509 Certificate and SSL etc. If anyone could let me know the PROS and CONs of this solution will be great.
Thanks.
It’s secure if your clients are willing to accept a self-signed certificate.
The main idea behind X.509 is trust – that is to say, when you accept a certificate as proof of identity, you’re not trusting them, you’re trusting the authority who issued the certificate.
In the case of self-signed certificates, the authority (issuer) and the thing it’s identifying are the same thing. Except self-signed certificates are not root certificates, and don’t actually designate a signing authority. That means that many policies and systems actually consider them invalid, and one must jump through several hoops and change configuration options (including those in WCF) to enable them to be used. Your clients will be wading through a whole bunch of DO NOT DO THIS warnings in the process.
Self-signed certificates are mainly intended for development. They’re “secure” in the sense that they do what it says on the tin, but it’s like paying with a handwritten IOU note instead of a check. Is it authentic? Who knows?
If you have the time, I’d really recommend shelling out the $50 for a certificate or setting up an actual PKI if you plan to issue several of these. The clients are less likely to laugh at you if they have competent IT staff.